HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Consumer Privacy

Department of Education Issues “Model Terms of Service” and Other Guidance on Student Privacy Compliance

On February 26, the U.S. Department of Education issued guidance aimed at assisting schools and school districts when considering whether the use of online educational services and mobile applications complies with student privacy laws. The guidance consisted of two main components. First, the Department published a document entitled Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, which evaluates common privacy-related provisions in online Terms of Service and analyzes how they comply with student privacy requirements. Second, the Department produced a user-friendly, 10-minute training video directed to K-12 administrators, teachers, and staff about schools’ privacy obligations when using online educational services and applications. Finally, the guidance encourages school administrators to check the Student Privacy Pledge when considering whether to use online educational services in the classroom.

This follows Department of Education guidance issued almost exactly a year ago, which we summarized in a detailed Client Alert at the time, about the privacy obligations of schools and school districts when considering online service providers and applications. That guidance commented that schools should review online educational service providers’ online Terms of Service (TOS) prior to sharing student data with online services to determine whether the TOS are consistent with privacy requirements under laws like the Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA).

Posted in Consumer Privacy

Obama Administration Releases Privacy Bill of Rights Discussion Draft

Following President Obama’s announcement last month that the administration would be proposing a consumer privacy bill of rights, the Obama Administration today posted its proposed legislation. Check back here soon for further information about the proposal.

To access the administration’s discussion draft “Consumer Privacy Bill of Rights Act,” click here.

Posted in Consumer Privacy

What Will be the Impact of the New EU Data Protection Regulation on the UK’s Freedom of Information Act?

The future of the s. 40 exemption

Undoubtedly one of the more mind-bending exemptions to apply under the Freedom of Information Act 2000 (FOIA) is the exemption for personal information (s. 40) (although sections 30 and 36 are also up there!). This is partly due to s. 40’s close link with the Data Protection Act 1998 (DPA). Not one to hog the limelight, the DPA has typically been cited in past litigation as a secondary or even tertiary issue to the main action when there is a claim for breach of confidence or breach of privacy. This led to a scarcity of judicial rulings on the DPA prior to the FOIA. However, in the Tribunal and higher court decisions flowing from the FOIA, certain aspects of the DPA have frequently been examined when public authorities seek to rely on the s. 40 exemption. Consequently there have been a number of rulings on the scope of personal data and on the ‘legitimate interests’ ground as a legal basis for disclosing such information. These rulings have been based on the DPA which itself implements the EU Data Protection Directive 95/46/EC. But the Directive is due to be replaced by an EU Regulation in the next few years. What will this mean for how the s. 40 exemption under FOIA is interpreted?

Posted in International/EU Privacy

Russia Plans to Increase Fines for Violating Data Protection Laws

On 24 February, the Russian State Duma (the lower chamber of the Russian Parliament) adopted in the first reading a draft law introducing amendments to the Russian Code on Administrative Offences (the Draft Law) that would increase the amount of the fines imposed for violating Russian data protection laws and introduce a differentiation between the types of relevant offences. Notably, the Draft Law does not introduce any separate fine for violating Russia’s new Data Localization Law, although there is still a possibility that this could be modified as the legislative process progresses.

Posted in Cybersecurity & Data Breaches

New Study Provides Cybersecurity Insights for Corporate Counsel

A recently released research study published by Indiana University’s Bloomington School of Law highlights the rising importance of cybersecurity law and provides current insights on the role lawyers are playing to help protect companies from cyber threats. The study, entitled “The Emergence of Cybersecurity Law,” is based on a survey of corporate law departments as well as interviews conducted with lawyers, consultants, and academic experts.

Posted in Consumer Privacy

Privacy in the Machine World

In 2014, the Internet of Things (IoT) and big data were two of the hottest buzzwords among privacy professionals. This year, “robotics” may be one of our oft-spoken words. In this post, we look at two of the challenges that robotics brings. One challenge facing privacy professionals is how to address potential privacy issues as autonomous robots powered by big data and network connectivity are brought into our personal spaces. Another, often equally challenging, issue is how to implement robotics in a legal and regulatory landscape that was designed, in many cases, for the relatively slow-paced technologies of the Internet where the chirps of dial-up modems broadcast our connections.

Posted in Consumer Privacy

White House Releases Memorandum on Safeguarding Privacy, Civil Rights, and Civil Liberties in the Domestic Use of Unmanned Aircraft Systems

On February 15, the White House issued a Presidential Memorandum on safeguarding privacy, civil rights, and civil liberties in the domestic use of Unmanned Aircraft Systems (UAS). The memorandum launches a multi-stakeholder process to establish voluntary baseline privacy standards for commercial use of UAS and establishes principles that will govern the federal government’s use of UAS.

The Presidential Memorandum, which was issued in conjunction with the Federal Aviation Administration’s proposed framework of regulations for the use of certain small UAS, is the latest in a series of activities by policymakers to address privacy concerns associated with the use of UAS in governmental and civilian settings. In December, Sen. Jay Rockefeller (D-WV) released his proposed Unmanned Aircraft Systems Privacy Act of 2014, which would establish rules on data collection and use by UAS operators. Additionally, in the last two years, several states, including California, Idaho, Indiana, Louisiana, North Carolina, Oregon, Tennessee, Texas, and Wisconsin enacted privacy laws that impact commercial and private use of UAS. Numerous states also have passed laws restricting law enforcement use of UAS.

Posted in International/EU Privacy

2015: The Turning Point for Data Privacy Regulation in Asia?

2014 was a very eventful year for data privacy regulation in Asia and there are reasons to believe that 2015 will represent a turning point for the region as established privacy regimes are toughened and new regimes enacted in recent years begin to mature.

The past year saw a number of significant regulatory developments, in particular the implementation of new, comprehensive “European-style” privacy laws in Singapore and Malaysia, the amendment of China’s consumer protection law to include data privacy principles and increased financial penalties in South Korea.

Posted in Consumer Privacy, International/EU Privacy

Sweep Reveals Scale of Cookie Consent Non-Compliance

The results of an international investigation into the cookie consent practices of 478 websites frequently visited by European citizens have now been published. The outcome is perhaps unsurprising: cookies are used en masse by websites operating in Europe, their expiry dates are often excessive, and crucially, not enough is being done to provide notice and obtain valid consent for the use of cookies and other device identifying technologies.

The specific websites that were investigated are not identified (as yet); however, those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com). Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.

Posted in International/EU Privacy

The Most Delicate Balance of Our Time

Public atrocities always attract some kind of political reaction. Generally, the more brutal the atrocity, the harsher the reaction. It is understandable from the perspective of political responsibility. So when defenceless people are mercilessly attacked by gunmen as punishment for their satirical views, a very visible reaction is to be expected. However, political reactions to grave situations need not only visibility but measured thinking and careful decision-making. The reaction to a violent and criminal act can often have more far-reaching implications than the act itself, leading to an escalation of violence. At the same time, doing nothing to protect citizens from harm is not a responsible option. As with many political decisions, securing public safety is a balancing exercise of robustness and restraint.